China-Backed Hackers Exploit Microsoft Exchange Zero-Days

March 2, 2021
Microsoft Alerts Users to Exchange Server Exploits by Hafnium

Microsoft has issued a security advisory regarding a new threat originating from a China-based state-sponsored hacking group. This group is actively exploiting four previously unknown security weaknesses within Exchange Server, the company’s enterprise-level email solution.

Details of the Hafnium Threat

The technology firm revealed on Tuesday that the group, identified as Hafnium, targets a diverse array of organizations within the United States. These include legal practices and defense industry contractors.

Furthermore, the group’s interests extend to researchers focused on infectious diseases and various policy-based think tanks.

How the Exploits Function

Hafnium leveraged the four recently identified vulnerabilities to gain unauthorized access to Exchange Server installations on corporate networks.

Successful exploitation grants attackers the ability to extract sensitive data, such as email correspondence and contact lists, from compromised organizations.

The attackers can also deploy malicious software. The combined effect of these four vulnerabilities creates a complete attack pathway, impacting servers running Exchange 2013 and subsequent versions that are hosted on-premise.

Attribution and Infrastructure

While operating from within China, Hafnium utilizes servers situated in the United States to execute its attacks.

Microsoft has confirmed that Hafnium was the primary actor observed exploiting these specific vulnerabilities. (A previous iteration of the company’s blog post mistakenly stated that Hafnium was the sole exploiting group.)

Mitigation and Response

Security updates addressing these four vulnerabilities have been released, ahead of the regularly scheduled patching cycle.

Typically, updates are released on the second Tuesday of each month, but Microsoft expedited the process in this instance.

“Despite our rapid deployment of updates for the Hafnium exploits, we anticipate that numerous nation-state actors and criminal organizations will quickly attempt to exploit any systems that remain unpatched,” stated Tom Burt, Microsoft’s Vice President for Customer Security.

Government Briefing and SolarWinds Distinction

Microsoft has informed relevant U.S. government agencies about these findings.

However, the Hafnium attacks are distinct and unrelated to the SolarWinds-related espionage campaign that targeted U.S. federal agencies.

The National Security Agency and the FBI previously attributed the SolarWinds campaign to actors “likely of Russian origin” during the final days of the prior administration.

  • Key Takeaway: Prompt patching of Exchange Server is crucial to mitigate the risk posed by Hafnium.